The NotPetya ‘Not’ Killswitch
In the past few days a new Petya-like ransomware, dubbed NotPetya, infected machines across the world by leveraging some of the NSA’s exploits for the SMB protocol (EternalBlue, EternalRomance), similar to the WannaCry attack last month. This attack overwrites the MBR (Master Boot Record) and encrypts the file-system, rendering the system inoperable. A “killswitch” has been found by researchers which, according to them, can render the attack useless by simply creating a file on the endpoint filesystem. This was later regarded as more of a vaccination method than a killswitch. A crucial detail about the “killswitch” was never mentioned: it is only partially effective against the malware currently in the wild and works only if the malware loads into an elevated process, which means the malware may still cause damage and hold your files ransom even when your endpoint is "vaccinated."
“Killswitch” Brief Analysis
The NotPetya variant comes as a DLL. In order to execute and analyze it the following command can be run: “rundll32.exe NotPetya.dll,#1”.
In one of its first stages of execution, the malware searches the C:\Windows directory for a file that matches the name of the malware’s DLL without the extension, i.e. a file named “NotPetya” (C:\Windows\NotPetya). If the file is found, the malware will terminate the process by calling ExitProcess.
In the wild, the name of this file seems to be “perfc” (as confirmed by multiple sources).
Figure 1: Generating the path for the file-based mutex.
Figure 2: Checking and creating the mutex file on the endpoint.
This behavior looks more like an attempt to prevent the malware from running more than once and reinfecting the endpoint. Often this is done with a registry value, but here it is a file-based mutex. So if we were to rely on the malware's behavior, creating the file should in theory prevent the malware from causing any damage. When we tried this quick fix method, it didn't work for us at first.
Looking at the Bigger Picture
A critical detail has been overlooked: the specific conditions that lead to the "killswitch" function being called. This is indeed one of the first stages of execution of the malware, but it is certainly not the first. The malware first initializes globals and enables the privileges required for its operations. These privileges are available exclusively to processes running under administrative user accounts, and only when run with elevated privileges.
Figure 3: Initializing privileges and globals.
Just before checking for the existence of the file in C:\Windows, the malware checks if the process has the debug privilege set, which is only possible when it runs with elevated privileges. Otherwise it will just start encrypting the files on disk and spreading to other computers on the network without harming the MBR.
In simple terms, if the malware does NOT run with elevated privileges, it will encrypt your system regardless of the aforementioned "killswitch".
Figure 4: Check if debug privilege is set and proceed accordingly.
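To make the control flow of Figures 1 to 4 concrete, the following is an added Python model of the decision logic as described in this post; it is not code from the original post or from the malware. It assumes a temporary directory standing in for C:\Windows, uses the post's sample DLL name "NotPetya.dll" and the in-the-wild marker name "perfc", and represents "elevated" as a boolean standing in for whether SeDebugPrivilege could be enabled.

```python
import tempfile
from pathlib import Path

# Outcome labels are constructed for this model; they name the three paths the post describes.
EXIT_VIA_MUTEX = "exit: file-based mutex already present"
FULL_DAMAGE = "continue: encrypt files and overwrite MBR"
FILES_ONLY = "continue: encrypt files and spread, MBR untouched"


def mutex_path(windows_dir: Path, dll_name: str) -> Path:
    """Figure 1: the marker path is the DLL's own name, minus extension, under C:\\Windows."""
    return windows_dir / Path(dll_name).stem


def check_or_create_mutex(path: Path) -> bool:
    """Figure 2: return True if the marker already exists (malware calls ExitProcess);
    otherwise create it so a second run on this endpoint would exit."""
    if path.exists():
        return True
    path.touch()
    return False


def simulate_run(windows_dir: Path, dll_name: str, elevated: bool) -> str:
    """Figures 3-4: the mutex check is only reached when the debug privilege is set,
    i.e. when the process is elevated. Otherwise the marker is never consulted."""
    if not elevated:
        return FILES_ONLY
    if check_or_create_mutex(mutex_path(windows_dir, dll_name)):
        return EXIT_VIA_MUTEX
    return FULL_DAMAGE


def vaccinate(windows_dir: Path, name: str = "perfc") -> Path:
    """The published 'fix': pre-create the marker file. Returns the path created."""
    marker = windows_dir / name
    marker.touch(exist_ok=True)
    return marker


def run_scenarios() -> dict:
    """Exercise the model in a scratch directory that stands in for C:\\Windows."""
    with tempfile.TemporaryDirectory() as scratch:
        win = Path(scratch)
        results = {
            "first_elevated": simulate_run(win, "NotPetya.dll", True),   # creates marker
            "second_elevated": simulate_run(win, "NotPetya.dll", True),  # marker found
            "unelevated": simulate_run(win, "NotPetya.dll", False),      # marker ignored
        }
        vaccinate(win)  # in-the-wild name: C:\Windows\perfc
        results["vaccinated_elevated"] = simulate_run(win, "perfc.dll", True)
        results["vaccinated_unelevated"] = simulate_run(win, "perfc.dll", False)
    return results


if __name__ == "__main__":
    for scenario, outcome in run_scenarios().items():
        print(f"{scenario:>22}: {outcome}")
```

The last two scenarios are the point of the post: the same vaccinated endpoint stops the elevated run but not the non-elevated one.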
Summary & Recommendations
- Patch all your systems with the patch released for MS17-010. These vulnerabilities are extremely dangerous and enable quick infection across the entire organization.
- Do not rely on the published “killswitch" or "fix," as it is easy to bypass and only partial at best. Systems may still be encrypted.
- SMB ports should not be accessible from the internet, even on patched systems.
- Do not pay the ransom; the files will not be restored.
enSilo’s endpoint protection software protects you from NotPetya and a lot more.